Epsilon Interactive's parent company, Alliance Data, apologized Wednesday for a data breach that has left millions of customers of some of the largest U.S. companies wondering if they may soon be the target of spam or phishing attacks.
Alliance Data said the incident -- now under investigation by federal authorities -- will have a minimal effect on its bottom line but worried about the possible impact on its business.
"The company believes the greatest risk to Epsilon and Alliance Data is the potential loss of valued clients," Alliance Data said in a statement, but it "expects this incident to have minimal if any impact on Alliance Data's financial performance."
Alliance Data is one of the country's largest marketing data firms. Recently, someone broke into its subsidiary's computer systems and downloaded customer names and e-mail addresses belonging to nearly 60 Epsilon customers, who use the marketing company to send e-mail messages to customers. Although the affected customers represented just 2 percent of Epsilon's 2,500 clients, they amount to a who's who of U.S. business.
Companies such as Citibank, Verizon, Marriott and Walgreens have sent out millions of notification e-mails this week, warning customers that their e-mail addresses have been stolen, and telling them to be on the lookout for phishing messages or spam. Many consumers say they received several of these notification messages.
Security experts say that knowing people's names, e-mail addresses and the companies they do business with makes it easier for scammers to craft believable "spear-phishing" messages. They worry that the breach could lead to a rash of spam or targeted phishing attacks.
Neither Epsilon nor Alliance Data will say how many customers are being notified, but they say that only customer names and e-mail addresses -- not Social Security numbers or account information -- were stolen.
"We fully recognize the impact this has had on our clients and their customers, and on behalf of the entire Alliance Data organization, we sincerely apologize," Alliance Data said in its statement Wednesday. "We will leave no stone unturned and are dealing with this malicious act by highly sophisticated cyber-thieves with the greatest sense of urgency."
Alliance Data says that the 40 billion e-mail messages that Epsilon sends out each year continue to be pumped out. "Epsilon's e-mail volumes are not expected to be significantly impacted," the company said.
One client that's been caught up in the breach, Verizon, wouldn't say whether it plans to continue to do business with the e-mail service provider. "We are continually reviewing our agreements with vendors and contractors and making whatever changes are in the best interest of our business," said Verizon spokesman Clifford Lee, when asked if Verizon plans to continue to employ Epsilon.
The Web site Databreaches.net has compiled a list of all affected companies, counting 57 organizations to date. They are:
1. 1-800-FLOWERS
2. AbeBooks
3. Air Miles Reward Program
4. Ameriprise
5. Barclays Bank of Delaware ( Barclay's L.L. Bean Visa card)
6. Beachbody
7. Bebe
8. Best Buy
9. Best Buy Canada Reward Zone
10. Benefit Cosmetics
11. Brookstone
12. Capital One
13. Charter Communications
14. Citibank (ExxonMobil Card, Home Depot Card, Sears, NTB Card)
15. City Market
16. College Board
17. Crucial
18. Dell Australia
19. Dillons
20. Disney Destinations
21. Eddie Bauer Friends
22. Eileen Fisher
23. Ethan Allen
24. Eurosport Soccer (Soccer.com)
25. Food 4 Less
26. Fred Meyer
27. Fry's
28. Hilton Honors
29. Home Shopping Network
30. Jay C
31. JPMorgan Chase
32. King Soopers
33. Kroger
34. Lacoste
35. Marriott Rewards
36. Marks & Spencer
37. McKinsey Quarterly
38. MoneyGram
39. New York & Company
40. QFC
41. Ralphs
42. Red Roof Inn
43. Ritz-Carlton
44. Robert Half International
45. Scottrade
46. Smith Brands
47. Target
48. Tastefully Simple
49. TD Ameritrade
50. TIAA-CREF
51. TiVo
52. US Bank
53. Verizon
54. Viking River Cruises
55. Visa (Barclays Bank of Delaware/L.L. Bean Visa, BJ's Visa)
56. Walgreens
57. World Financial Network National Bank (Ann Taylor, Dressbarn, Express card, Catherine's, J Crew, Lane Bryant, RadioShack, The Limited, Victoria's Secret)
(IDG News Service has been working with Databreaches.net to compile the list of affected companies. It is reprinted here with permission.)
